5.2 Securing the Directory

5.2.1 Security Policy

We will now add some simple security to our directory using the access directive in slapd.conf.

We are going to build an Access Control Policy (ACP a.k.a. ACL) based on Corporate Policy (wow) which states:

The directory entry owner is able to see and update ALL the directory attributes including passwords.

Human Resources must be able to update ANY entry but must not be able to read or write the user's password.

The directory attributes carlicense, homepostaladdress and homephone must not be readable by anyone except Human Resources and the owner of the directory entry.

All users must authenticate (anonymous access is not allowed).

The IT department must be able to update or change the password entry on all directory entries.

Whatever your opinions of the above policy we are going to have to provide the access controls to implement it. The first thing we have to do is create two groups, one for hrpeople and one for itpeople, to enable us to assign group permissions. We will locate these groups using a groups branch under the DIT root. The diagram below shows our new structure.

Observant (or still awake) readers will have noted that the entry for member: cn=William Smith,ou=people,dc=example,dc=com does not currently exist in our DIT. This is perfectly acceptable: no checks are made when adding the member attribute. In this case the only consequence will be that no current entry in our DIT will be a member of the itpeople group. Perhaps we forgot to add William Smith, or perhaps we'll add the entry later. Perhaps we just made a mistake!

Assuming we save the above LDIF as addgroups.ldif in our /tmp directory we load the LDIF file using ldapadd with a command like this (line below is split for HTML formatting reasons only and should be on a single line):

Note: The attributes carlicense and homephone do not appear in every entry of our currently created DIT and indeed homePostalAddress appears in no entry. This emphasises two points. First, the ACLs are expressions of our security policy and do not relate to the current contents of the DIT. Second, since all these attributes are part of the inetOrgPerson objectClass hierarchy (->organizationalPerson->Person) they could be added to any entry at any time in the future, in which case the ACLs need to define our full access control policy from the beginning of our DIT creation.
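The following slapd.conf access directives are an added example written for this section; they are not the guide's own ACL. They implement the five policy points above as stated. Assumptions not on the page: the group entries are cn=hrpeople,ou=groups,dc=example,dc=com and cn=itpeople,ou=groups,dc=example,dc=com, both of objectClass groupOfNames (the default for group.exact, which is why the member attribute shown earlier is the one checked), and the attribute names are written in their schema case (carLicense, homePostalAddress, homePhone, userPassword).

```conf
# Added example ACL implementing the policy in 5.2.1 (not the guide's own text).
# slapd evaluates access clauses in order: the first "access to" whose target
# matches the entry/attribute wins, and within it the first "by" clause that
# matches the bound DN wins. Put the specific rules before the catch-all.
# The rootdn (cn=jimbob,dc=example,dc=com) bypasses every clause below.

# Policy 1, 2, 5: owner reads/writes own password, IT writes any password,
# HR (and everyone else) gets nothing. "anonymous auth" only lets an
# unauthenticated client present a password to bind; it cannot read it.
access to attrs=userPassword
    by self write
    by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# Policy 3: sensitive attributes visible to the owner and HR only.
# IT members fall through to "by * none" for every entry but their own.
access to attrs=carLicense,homePostalAddress,homePhone
    by self write
    by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
    by * none

# Groups branch: readable by any authenticated user, editable by nobody but
# the rootdn (matches the "see but not edit" behaviour described in the tests).
access to dn.subtree="ou=groups,dc=example,dc=com"
    by users read
    by * none

# Policy 1, 2, 4: owner and HR update the rest of an entry, other authenticated
# users may read it, anonymous (which never matches "users") is denied.
access to *
    by self write
    by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

Two things to check when adapting this. The password clause must precede the catch-all, otherwise "by users read" on access to * would expose userPassword to every authenticated user; and a group rule only works if the group entry's member values are full DNs that exactly match the DN the client binds with. If you would rather let hrpeople edit the groups branch too (the policy's "update ANY entry" can be read that way), delete the dn.subtree clause and the catch-all's "by group.exact ... write" takes over for those entries.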

5.2.4 Testing the ACL

We now need to test our newly established policy. To test the ACL use your LDAP Browser and:

Configure your LDAP browser to bind or authenticate using dn: cn=Robert Smith, ou=people, dc=example, dc=com with a userpassword of rJsmitH (case sensitive) and because this entry has hrpeople privileges it will see and be able to modify all entries including carlicense, homepostaladdress and homephone but not userpassword (except for his own entry).

Configure your LDAP browser to bind or authenticate using dn: cn=Sheri Smith, ou=people, dc=example, dc=com with a userpassword of sSmitH (case sensitive) and because this entry has itpeople privileges it will see and be able to modify the userpassword attribute of all entries but cannot see carlicense, homepostaladdress and homephone for any entry except her own.

Configure your LDAP browser to bind or authenticate using dn: cn=John Smith, ou=people, dc=example, dc=com with a userpassword of jSmitH (case sensitive) and because this entry has no privileges it cannot see carlicense, homepostaladdress, homephone and userpassword for any entry except his own (which he can also modify).

Configure your LDAP browser for anonymous access and confirm that access is denied.

Finally, authenticate as our rootdn or superuser (defined in slapd.conf as cn=jimbob,dc=example,dc=com, password dirtysecret) and confirm that this overrides all our privileges and can see and modify everything.

Note: In all of the above tests you should be able to see with your LDAP Browser the groups branch and the hrpeople and itpeople entries. If you cannot, then you may have set your Base DN (or Root DN) field in the LDAP browser to ou=people,dc=example,dc=com; set this to dc=example,dc=com and you should now be able to see (but not edit) the groups branch and its entries.
